Is Your TV a Security Risk? Embedded Devices May be the Next Target.

Eric Vanderburg

The latest televisions and Blu-Ray players come equipped with more than HD video and audio. Internet access and a host of new applications are being built in to run directly on these “smart” TVs and DVD players. A popular built-in feature is wireless access which enables the user to avoid plugging in an Ethernet cable. Accessing the internet and your favorite apps directly from your TV is convenient. However, what security risk does it pose?

Are Smart TVs and Blue Ray Players a Security Risk?

The primary question is, “Are these devices a security risk?” Examining the features of smart TVs and Blu-Ray players and comparing them to existing systems that already have a risk profile will help answer this question.

In order to access the Internet, a device needs an Internet browser. Currently, manufacturers have decided not to develop their own browsers but to use existing products that have proven effective on other platforms. Some devices come equipped with a version of Opera while others utilize Google’s Chrome browser. Both browsers have been reasonably responsive in addressing security vulnerabilities and supporting the latest security standards.

Another feature offered by some devices is the ability to retrieve pictures, movies and music from networked computers by using Microsoft’s Windows “media extender technology.” The default installation of the media center extender provides full access to most of the shared media on the network. This access could allow a compromised television or Blu-ray player to give access to files on the home network or office network.

Yet another consideration is the type of content that will be available on these devices. In the past year, a large number of exploits focused on Adobe Flash or Java. Blu-ray players currently support Java in order to display content often included on Blu-ray disks, while some of the TV browsers support flash content. Additionally, many of the applications available for these devices (like Hulu Plus) use Flash.

Smart TVs and Blu-Ray players are typically connected to the network for extended periods of time. This long-term connection poses another risk. These devices may be configured to automatically download or index programs for future use. Since these devices are rarely monitored and typically used throughout the day, a security breach may go unnoticed for a long period of time. The longer a security breach goes unnoticed, the more damage and harm is typically caused.

Although there have not been any reported vulnerabilities for televisions and Blu-ray players yet, do not expect it to remain this way for long. It did not take long for cell phones to be exploited after internet access and applications were ported to them. Similarly, as internet capable televisions and Blu-ray players grow in popularity, they will become a more sought after target of hackers.

So What Can You Do?

Since no vulnerabilities have been published, companies have not developed security patches to prevent unwanted breaches. In reviewing recent firmware update release notes from mainstream television and Blu-ray manufacturers, none of the release notes documented fixes for security vulnerabilities. These updates only enhanced functionality, not security.

Companies who have adopted Internet capable devices should consider keeping them on a separate network segment. Both home and business users can disconnect devices from the network if internet features are not needed. By staying up to date on new vulnerabilities, corrective action can be taken when needed.

For added security, also consider turning off features that automatically index or download content. This, combined with setting the device to turn fully off, will reduce the amount of time the device is potentially vulnerable each day. When using the media center extender, consider reducing access from the default of full access to read only. Eventually, security patches for these internet capable devices will be released just like security patches are released for software applications and operating systems. However, unlike computers, users are not familiar with the firmware update process and not all companies make it easy to upgrade their products. In the future, companies will need to develop procedures for regularly updating devices.

In conclusion, a smart TV or Blue-ray player could be vulnerable once exploits are developed for these devices. As the consumer usage for these devices increases, the likelihood of malicious code being developed will likewise increase. The firmware on these devices can be upgraded but manufacturers have not released any security updates for their devices. Until manufactures address the invasions as they occur, the three best ways to protect a device from undisclosed vulnerabilities are:

Disconnect the device from the network unless it is needed to use specific Internet features